Now of course it would be easy to slap the hide of NAC, IDS, and DLP technologies, but why kick something when it is down, besides we have Stiennon for that (here)…so I give you the 11 worst ideas in security, presented in far less a grumpy format than Ranum’s 6 dumbest ideas in security (here), and of course I kicked it up to 11…

Those bastions of knowledge, defenders of the objective faith, and creators of 2-page, in depth, market analysis reports. They don’t actually analyze security they analyze the security market, they say cool things like “By the end of 2007, 75% of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses.” and come up with amusing names and acronyms, (did you know that NBA – Network Behavior Analysis – was at one time called NADS – Network Anomaly Detection System – you can imagine the fun Gartner could of had with an overview of the NADS market). I spent years as an analyst myself and I loved my time, but I will always regret that analysts never actually test, demo, or even interact with the technology they so confidently and assertively write about.

10. Microsoft CPAV (Central Point Anti-Virus – when turning it up to 11 is 10 too many)

Many of you may not remember that Microsoft used to ship an integrated AV product – CPAV (Central Point Anti Virus) CPAV = total suckage. It was a simpler time, malware consisted of threats like the stoned virus (infect the computer, make it look droopy and display a “your computers stoned” message) and you really didn’t need quality, but you did need something that didn’t completely impact user productivity, suck all the computing resources, and disrupt other services – ah the good old days.

9. The Vulnerability market (what can I get for $.63?)

What happens if you create a market and no one buys? Nothing, but a whole lot of complaining from a whole lot of grumpy researchers about how no one takes security seriously and what a thankless job it is to break someone else’s software and then not be showered with accolades when you present them with the data that their software is broken.

8. Scan and Patch (The never ending hamster wheel of late nights and working weekends)

The security group will scan the environment against a database of known vulnerabilities and then harass, scare and guilt-trip the operations team into actually fixing something – it is also referred to by Philip Roth as the Jewish Mother process. This never-ending, reactionary, ad-hoc, false-positive laden, non-environmentally aware, slow, cumbersome, disruptive, snapshot in time approach equals = effectiveness fail. I have written about this before (here)

Quick Story: When I was with McAfee we acquired PGP, as part of the acquisition the McAfee IT department attempted to roll-put PGP encryption. It was a total fail. It was never properly deployed and the IT folks just gave up and moved on to some other important project, like getting their hands on some cool network sniffers. At the time I thought Wow we own this crap and can’t deploy it, how the hell will the people we sell it to – it would require like a ton of bureaucracy and an army of civil servants to be successful, and this is why the federal government loves PKI.

6. Security Through Obscurity (These are not gur qebvqf lbh are looking for – guess how I cryptoed that)

What is worse than no security? ineffective security that doesn’t work – WEP is like putting up an aluminum foil door and pretending that no one can break through it – far better to just not have a door and know it – really not a lot more to add.

4. Signature-based AV (Design fail – only works if there is parity between sigs and viruses)

Signature based AV isn’t protecting anyone anymore (here), it certainly wasn’t providing any protection against spyware or some of the nastier threats that have popped up recently. It didn’t stop blaster, or sasser, or slammer, it did nothing to help choicepoint, or the VA or the orgy of disclosure we have all become numb too. It was running happily along, updated and content on my mom’s machine when it turns out her Windows XP box was infected with some pretty nasty bits. The real problem though is the sheer volume of malware that one needs to create a signature against – and wha does one do with a 5 million signature dat file – no wonder every time Symantec runs an application dies

There was a time when I had some passion for htis topic, right or wrong I had an opinion and was looking for responsible disclosure (here). I have come to realize that a. It really doesn’t matter and b. those with malicious intent are far less concerned with silly disclosure debates than those fighting the good fight. The vulnerability disclosure debate is the security’s equivalent of Britney Spears – no matter how bad it gets, you can’t help but be curious.

2. Passwords (2Chr177xh0ff)

Passwords suck (here), they are cumbersome, difficult to manage, prone to attack and require continuous care and feeding – they also aren’t terribly effective, but they are the best we can do with what we have, so remember choose wisely and don’t feel like less than a man simply because you have to use a password manager, everybody needs a little assistance now and again.

1. Security Vendors and the VC’s that love them (The root of all security evil)

The goal of the security industry is not to secure, the goal of the security industry is to make money. I think we all know this conceptually, and even with the best intentions in our capitalistic society we must understand that security companies are motivated by profits. This isn’t necessarily a bad thing, but it should help to dispel the myth that security companies are smarter than hackers, they aren’t, they are just smarter than the buyers – from (here)